Chapter 2. Installing and Enabling Cockpit
A primary Cockpit server is the machine that runs a Cockpit service with the user interface. A secondary server is a machine that is administered using Cockpit. It is possible to add one or more secondary hosts to the primary server.
Setting up a primary Cockpit server involves:
- Installing the cockpit packages.
- Opening the port for Cockpit.
- Starting the cockpit service.
After setting up, you can connect to Cockpit in a browser by typing the host name and port of the server. For example, from the primary host you can connect using
For setting up a primary server on Red Hat Enterprise Linux Atomic Host, see Installing Cockpit on Atomic Host.
2.1. Prerequisites for a Cockpit server
Before setting up Cockpit, ensure that you have:
- Installed Red Hat Enterprise Linux. If required, see the Installation Guide.
- Enabled networking. If required, see the Networking Guide.
- Registered the system and attached subscription. If required, see the Registering the System and Attaching Subscriptions section of the System Administrator’s Guide.
2.2. Setting up the primary Cockpit server
To install and enable Cockpit:
Enable the Extras and Optional repositories:
# subscription-manager repos --enable=rhel-7-server-extras-rpms # subscription-manager repos --enable=rhel-7-server-optional-rpms
This gives you access to supplementary Cockpit packages such as cockpit-dashboard.
Install the cockpit and cockpit-dashboard packages:
$ sudo yum install cockpit cockpit-dashboard
The cockpit-dashboard package provides the "Dashboard" tab in the interface. This package is optional, but is assumed to be installed in this guide.
Allow external connections to port 9090 through the firewall:
# firewall-cmd --add-port=9090/tcp # firewall-cmd --permanent --add-port=9090/tcp
Enable and start the
$ sudo systemctl enable cockpit.socket $ sudo systemctl start cockpit.socket
- Cockpit is now installed and running.
If you are installing Cockpit on a Red Hat Enterprise Linux Atomic Host system, see Installing Cockpit on Atomic Host.
2.3. Opening the Interface
Open a web browser and enter the server’s IP address with port 9090 in the address bar. If the web browser is on the Cockpit server, open
If you use a self-signed certificate, the browser issues a warning. Carefully check the certificate before accepting the warning. Consider using a certificate signed by a certificate authority (CA). For more information on certificates, see the An Overview of Certificates and Security section of the RHEL System Administrator’s Guide.
If you are sure you want to use self-signed certificates, then add this connection to the security exceptions. Click Advanced → Add Exception → Confirm Security Exception. After that, you will see the login screen.
- Log into the Cockpit interface with the same user name and password that you would normally use to log into the system.
2.4. Changing Expired Passwords
Cockpit supports changing expired passwords.
A fresh system installation with an expired password will prompt a password change during the first login. System administrators often use this feature to make sure users change their pre-assigned passwords to a custom password.
When logging in with an expired password, Cockpit prompts you to enter the current password a second time. Enter your current password and click Log In.
Choose a new password and click Login.
If you have issues logging in to Cockpit and the prompt for changing the password is not shown, check the
/etc/ssh/sshd_config file on the Cockpit Server. Make sure
ChallengeResponseAuthentication is set to
yes and restart
sshd with the
systemctl restart sshd command.
2.5. SSH two-factor authentication with Cockpit
Cockpit supports two-factor authentication. If you have protected your SSH server with two-factor authentication, the login screen will prompt you to enter your password and PIN pair.
Setting up SSH for two-factor authentication requires two components:
A company’s authenticator application that provides one-time passwords or PIN numbers. An example application is
Google Authenticator, which also has its own Pluggable Authentication Module (PAM).
- A server that validates the PINs from a dongle.
These two components are often implemented differently for different companies.
After setting up the authenticator application and the validation server, enable SSH two-factor authentication in Cockpit:
/etc/pam.d/sshdfile, right after the last
authline, add this line:
auth required <your_PAM_module>
<your_PAM_module>with the PAM module used by your application.
sshdservice with the
systemctl restart sshdcommand.
Cockpit will ask for your verification code the next time you log in.